Students Baited by Phishing Scams

Kara Achilihu, a 20-year-old student at Towson University, searches her smartphone for her emails. A Louisiana native majoring in Business Administration, Achilihu flashes her phone when she finds the email she’s been looking for—an email from a once potential roommate.

On Feb. 10, she posted an ad looking for a roommate to share her apartment on the university’s off-campus housing website. The website provides a listing for students in the Towson community who have rooms available to rent or for students who are looking for rooms.

A little more than a week later, Achilihu received an email from a student named Marylin Scott. Riddled with bad grammar, the email said Marylin was a 29-year-old from Manchester, England, who was coming to Towson University “for a research” and needed a room to stay in for the semester. Marylin said that she was looking forward to living with Achilihu, which made Achilihu feel like she had found “the roommate.”

“I was excited because the people I had been talking with before weren’t very interested or committed to rooming with me,” Achilihu said.

But Marylin Scott wasn’t a student, nor was she in the U.K. The email was the same as dozens of others sent to students who post their contact information publicly on Towson’s off-campus housing site. By posing as students, those who operate the scams take advantage of students to get their personal information. Despite the obvious security threat, the university says there’s not much it can do to prevent the scams.

*******

Like Achilihu, many Americans are affected by phishing scams. Phishing is the act of trying to gain a victim’s personal information, including passwords and bank account numbers, through electronic communication.

“This information could be used to access your email fraudulently and spread other phishing messages,” said Jeff Zankowitz, an Information Security Analyst for the Office of Technology Services at Towson University.

Phishing, which is done mostly through email communication, has become one of the top threats to internet security. The United States is currently the country with the most phishing websites.

“There are thousands of new malicious email messages created every day, so it is impossible to block 100 percent of all phishing, spam and malicious emails,” Zankowitz said.

Some phishing emails are so well disguised that it may be hard to tell the difference between a real email and a scam. But there are several clues that people can look out for.

“Look out for more spelling and grammar issues, and check to see if the name matches the email address,” Zankowitz said.

Other clues, including the use of threats or amazing offers, also point to a phishing email. Phishers use these types of tactics to get an emotional response out of the user, which clouds their judgment, Zankowitz said.

Users should also be aware of email attachments they receive. Users shouldn’t trust the file extensions they see, especially “.zip” files, Zankowitz said.

“There are a variety of tricks to hide the file the phishers want the user to click on,” he said.

Even though it may seem hard to prevent getting a phishing email, there are some precautions users can take. Users should be mindful of what they click on, Zankowitz said.

“If in doubt, don’t click on it,” he said.

Users should also refrain from responding to any suspected spam emails. Responding could cause more phishing emails to be sent out or viruses to be downloaded. Zankowitz also warned against sending personal information over email.

“Legitimate businesses usually never ask users to send personal information over email, so people should be wary if they get an email that asks for personal information,” Zankowitz said.

Once people have been phished, there isn’t much they can do except report the suspicious emails. People can report phishing emails to the Anti-Phishing Working Group, and Towson students can report suspicious messages to OTS.

“The most important thing students and employees of Towson can do is forward suspicious emails to phishing@towson.edu,” Zankowitz said. “OTS monitors the phishing@towson.edu email address and evaluates the emails sent there to ensure malicious links are blocked and to go gather data about current threats and trends in phishing messages.”

With phishing becoming a growing problem, users should be more aware of what they are getting in their inbox.

“When it comes to phishing, the best defense is you,” Zankowitz said.

*********

Prior to the email from Marylin, Achilihu had experience dealing with scams on Craigslist, where she had posted an additional roommate ad. Achilihu said that she expected some sort of scams because she often heard stories about them through Craigslist from the media and friends. But she never expected someone to scam her using her Towson student email. “I was thinking that no one would really go on the Towson website,” she said.

Over time, the details of the email stuck in Achilihu’s mind, making her increasingly suspicious. “I asked myself, why would someone be coming over in the middle of the school year?” she said.

When she became suspicious enough, she tried to call the phone number provided in Marylin’s first email. Her call went straight to voicemail. She said the sender was using a text free app, a feature for smartphones that prevents the user from receiving calls. Moments later she received an automated text from Marylin, saying that she doesn’t like receiving calls and prefers texts.

Achilihu said the automated response was the deal breaker and that she stopped communicating with Marylin after that. She realized she had been tricked. “I was scared because they have my address and I was worried that something might happen,” she said. “You just never really know what they can do with what info.”

********

There has been no evidence that a Towson student has been successfully scammed into giving up their personal information. But if a student is, they’ll soon realize it’s up to them to sort through the damages alone.

The Towson University off-campus housing site has a disclaimer that states “Towson University accepts no responsibility for information contained within the Off-Campus Housing web site, Off-Campus Housing listings, or Off-Campus Housing Information posted by the university.” The site also says that the university does not screen roommates or potential landlords and that it is the student’s responsibility to inspect buildings and meet potential roommates. Essentially, the university is not responsible for any damages as a result of the scams.

Towson University has been aware of phishing scams on students for some time, said Jerry Dieringer, the Assistant Vice President of Towson’s Housing and Residence Life. “We have been alerted about these kinds of scams and we’ve seen plenty over the years,” he said.

Dieringer said the main problem is that off-campus listings must be available to the public, and because they are available, anyone interested can find a student’s contact information to use or abuse. If the listing were not public, Dieringer said, apartment complex owners and soon-to-be students wouldn’t be able to post their availabilities.

“The listing is open to the public and we want it open to the public because that’s the only way it works,” he said.

Dieringer also said it’s not doable for the university to screen potential users of the site because of the large number of posts and also because it updates weekly. The university can, however, remove listings that they have known in the past to be fake, but only if there is a reported history.

Jeffrey Koerber, a supervisor for Towson’s Office of Technology Services, said that the university has the ability to block phishing emails on its network.

“We do everything to block them, but it’s like playing whack-a-mole,” Koerber said. “Every time we flag an email address, they can make another account and every time we ban an IP address they use a different computer.”

Koerber said that although the university has gone to great lengths to prevent phishing on its network, there is very little it can do for students’ email accounts because they are managed by Google and not by the university. Because of this arrangement, Koerber said that Towson student emails are about as protected as Gmail accounts.

Dieringer says that Towson’s Housing and Life department and OTS have worked together in the past to capture the email addresses of people sending scams, but they eventually stopped because people stopped falling for their “traps.”

“As you build a better mouse trap you get smarter mice,” he said.

Dieringer said the only way for the university to prevent damages is to keep students informed about the scams. He said that Towson has provided many ways for students to report scams, but it’s very rare for students to keep the university informed.

Dieringer said that while the university does what it can, at the same time “everybody needs to use their best judgment when they receive suspicious emails.”

******

A month later, Achilihu received another suspicious email. According to the email, Rose Baker was a 22-year-old Towson student and Florida resident currently attending her sister’s wedding in the UK.

Achilihu read the email once then ignored it, realizing it was a scam. She said the fact that Rose was overseas hinted that it was a scam and that the email was similar to the last one. But unlike the previous email, Achilihu noticed that the grammar was near perfect, which she believed could convince anyone without any phishing experience.

“It seems like they really stepped up their game because the grammar has really improved,” she said. Achilihu said that in the month following the first phishing email, she received three more scam emails.

Achilihu said that she didn’t blame Craigslist for being filled with scams because they have a disclaimer that warns users about the dangers of public posting. But she was surprised that Towson University did not explain to her that it was common for people to abuse her contact information. “Definitely at least warn us about them because everyone who posts for a roommate is being targeted,” she said.

Achilihu said she still has yet to find a roommate.

“I’m hoping to find a roommate soon,” she said. “Hopefully one that’s real.”